ACME-DNS For DNS-01 Challenges


#1

I can recommend acme-dns (https://github.com/joohoi/acme-dns) for anyone who is interested in setting up their DNS challenge infrastructure in a maintainable and secure way.


ACME v2 and Wildcard Certificate Support is Live
#2

@Yannik it means that it replaces the DNS completely, or is it something else?


#3

You CNAME your _acme-challenge to the acme-dns server. Therefore you are not reliant on an API for DNS updates from your registrar. It also prevents security issues where a compromised host is able to update all DNS records of all your domains.


#4

Wait, wait, take a step backward please. Is it an alternative server? Or not?


#5

It’s a server, but not one which will completely replace the current DNS server. The idea is to only use it for the DNS challenges. It’s probably not a fully implemented DNS server compared to for example BIND or PowerDNS.


#6

Great, sorry to have insisted but I needed some context. I'm going to read your doc more carefully.


#7

The information you seek is very well explained in the README of the project on its Github site.


#8

Will this also work for the new ACMEv2 + Wildcards?


#9

Yes. Wildcards also use the DNS challenge as provided with this program.


#10

Step 1 - Get Credentials from register API endpoint
Step 2 - create CNAME using full domain
Step 3 ? - Get DNS challenge values from CertBot-Auto <— how is this done?
Step 4 - Hit update API endpoint with credentials
Step 5 - Get / Update Certificate

Am I missing something?


#11

If manually creating and renewing your certificates is okay, you can use Certbot’s manual mode, e.g. with “certbot certonly --manual --preferred-challenges dns -d example.com”. That tells you what TXT record to set, but leaves the work up to you. When using acme-dns, you could copy and paste the TXT record and use curl to call the acme-dns API to set it. (Then you hit Enter to tell Certbot you’ve set the record, and it continues issuing the certificate.)

You can automate it by using --manual-auth-hook (despite the ironic name) to specify a shell script or somesuch that makes the HTTP request to acme-dns.
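As an added example of the hook described above (not code from this thread or from the acme-dns project), here is a minimal POSIX shell script usable as certbot's --manual-auth-hook. It reads the token certbot exports in CERTBOT_VALIDATION and publishes it with one HTTP request to the acme-dns /update endpoint, using the X-Api-User / X-Api-Key headers and the username/password/subdomain fields that the acme-dns README documents for /register. The acme-dns host name (ACMEDNS_URL) and the credentials file path (ACMEDNS_CREDS) are assumptions; set them for your own deployment.

```shell
#!/bin/sh
# Added example: certbot --manual-auth-hook that sets the dns-01 TXT value
# through the acme-dns HTTP API. Not the project's own code.
set -eu

# Assumed locations (hypothetical host and path): the JSON returned once by
# POST /register, saved to a root-only file, and the acme-dns base URL.
ACMEDNS_CREDS="${ACMEDNS_CREDS:-/etc/acme-dns/example.com.json}"
ACMEDNS_URL="${ACMEDNS_URL:-https://auth.example.org}"

# Pull one string field out of the small, flat credentials JSON (no jq needed).
json_field() {  # $1=json text, $2=key name
    printf '%s' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"
}

# certbot's dns-01 value is 43 base64url characters; refuse anything else so a
# malformed or tampered environment never reaches the API.
validate_token() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# Request body for POST /update: the registered subdomain id and the TXT value.
update_payload() {  # $1=subdomain id, $2=TXT value
    printf '{"subdomain": "%s", "txt": "%s"}' "$1" "$2"
}

# Publish the TXT record. Only the update credential for this one subdomain
# lives on the host, which is the isolation benefit discussed in the thread.
acme_dns_update() {  # $1=TXT value
    creds=$(cat "$ACMEDNS_CREDS")
    user=$(json_field "$creds" username)
    key=$(json_field "$creds" password)
    sub=$(json_field "$creds" subdomain)
    curl -fsS -X POST "$ACMEDNS_URL/update" \
        -H "X-Api-User: $user" \
        -H "X-Api-Key: $key" \
        -H 'Content-Type: application/json' \
        -d "$(update_payload "$sub" "$1")"
}

main() {
    token="${CERTBOT_VALIDATION:?CERTBOT_VALIDATION is set by certbot}"
    validate_token "$token" || { echo "unexpected token format" >&2; exit 1; }
    acme_dns_update "$token"
}

# certbot invokes the hook with CERTBOT_VALIDATION in the environment; when
# sourced for testing without it, nothing runs.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    main
fi
```

Usage: `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/acme-dns-hook.sh -d example.com`. The _acme-challenge CNAME must already point at the fulldomain value from /register, and the hook deliberately sends only the value certbot supplies, so a compromised certbot host cannot use this credential to touch any other record.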


#12

Perfect, was missing the “manual-auth-hook”, this is perfect, thank you.


#13

3 posts were split to a new topic: Why clients don’t implement their own DNS responder


#15

The readme answers many of my initial questions, very well-written. I’d probably use it if I had a list of specific IP addresses Let’s Encrypt could come from, otherwise I’m pretty leery of leaving a DNS server on the wider 'net unnecessarily, even a stripped-down one, due to its usefulness in DDoS.

Hmm, actually you could make part of the hook be to spin up the server just long enough to respond, and then go down again after the session is done.


#16

Feel free to publish your implementation of the manual-auth-hook for acme-dns :slight_smile:
I don’t use certbot personally, but others would probably appreciate it! (I was thinking of a “compatible letsencrypt clients/client hooks” section in the README)


#17

The DNS implementation does not recursively resolve requests, but will just respond with NXDOMAIN for anything that is not a TXT request for a previously set up subdomain. Therefore this is a non-issue IMO.


#18

I'm really, really close, just gotta solve this last issue.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for evanpolicinski.com
Output from 8-set-token.sh:
{"txt": "1HQjYS6NlSne1RCeCxfTisFAwr8-9fEbGEQ4jWtzBnQ"}
Error output from 8-set-token.sh:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 195 100 54 100 141 436 1139 --:--:-- --:--:-- --:--:-- 1146

Waiting for verification...
Cleaning up challenges
Failed authorization procedure. evanpolicinski.com (dns-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.evanpolicinski.com
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: evanpolicinski.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.evanpolicinski.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Any insight would be helpful, I'm assuming I don’t have my config set up correctly or my acme-dns DNS isn’t set up correctly.

— Update

It seems that the acme-dns server isn’t opening port 53, I'm going to assume that's why for now.


#19

I’m not sure what your design is, but currently the acme-dns DNS server isn’t in use.

  • evanpolicinski.com. uses DigitalOcean DNS.
  • _acme-challenge.evanpolicinski.com. is a CNAME to c8eabe0c-0c12-41bb-a49f-91c82a8718f5.dns.codepier.io..
  • c8eabe0c-0c12-41bb-a49f-91c82a8718f5.dns.codepier.io. doesn’t exist.
  • codepier.io. also uses DigitalOcean DNS.

However it’s arranged, ultimately it needs to be delegated to the acme-dns DNS server. Instead, everything is just delegated to DigitalOcean’s nameservers.

Some subdomain – dns.codepier.io., with this setup, I guess – needs to be delegated to your acme-dns DNS server.

Edit:

That would also be an issue, but it would result in a SERVFAIL error. Right now there’s an NXDOMAIN from the DO nameservers. acme-dns isn’t being consulted.
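The distinction drawn above (NXDOMAIN from the parent zone's nameservers versus SERVFAIL when the delegation exists but acme-dns does not answer) is the first thing to check before touching the hook. The following added example, not code from the thread or from acme-dns, queries a public resolver with dig for the _acme-challenge name and maps the returned RCODE to those cases; the classification text is my own reading of the failure modes discussed here, and the domain passed on the command line is whatever you are debugging.

```shell
#!/bin/sh
# Added example: tell the delegation failure modes apart from a resolver's RCODE.
set -eu

# Map a DNS RCODE to the situation it indicates for an acme-dns setup.
# Interpretation constructed for this thread, not acme-dns output.
classify_rcode() {  # $1=RCODE as printed by dig
    case "$1" in
        NOERROR)
            echo "the challenge name resolves; acme-dns (or the CNAME chain) answered" ;;
        NXDOMAIN)
            echo "authoritative NXDOMAIN: either the parent zone answered and acme-dns was never consulted (missing or wrong delegation), or acme-dns was reached but no TXT is registered for that subdomain" ;;
        SERVFAIL)
            echo "delegation exists but the delegated server did not answer (port 53 closed, firewall, service down)" ;;
        *)
            echo "unexpected rcode: $1" ;;
    esac
}

# Extract the RCODE from dig's header comment line, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345".
rcode_from_dig() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Query the challenge name and print the CNAME target plus the verdict.
check_challenge() {  # $1=domain being validated
    command -v dig >/dev/null 2>&1 || { echo "dig is not installed" >&2; return 2; }
    name="_acme-challenge.$1"
    target=$(dig +short CNAME "$name")
    echo "$name CNAME -> ${target:-<none>}"
    rcode=$(dig +noall +comments TXT "$name" | rcode_from_dig)
    echo "TXT lookup: $(classify_rcode "${rcode:-NONE}")"
}

# Run only when a domain is given, so the functions can be sourced for reuse.
if [ $# -gt 0 ]; then
    check_challenge "$1"
fi
```

If the CNAME target is printed but the TXT lookup reports NXDOMAIN, also query the target name directly against its parent zone's nameservers (`dig NS` on the parent, then `dig @that-server TXT target`); an answer from the parent rather than a referral means the subdomain was never delegated, which matches what the post above found.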


#20

Hmmmm, I guess I'll have to do more research on how to set that up. Thanks for the quick replies!


#21

Thanks !!! got it working!!